Every organization needs a cybersecurity plan and, while it may seem daunting, creating one may be easier than you think.

In short:

First, you must fully understand the meaning of cybersecurity.

Second, you need to learn what regulators, experts and others mean when they say you need a cybersecurity plan.

Third, you build an effective cybersecurity plan.

1. Cybersecurity definitions: the easy step

The first step is easily accomplished by reviewing a few definitions.

Cybersecurity is the process of protecting information by preventing, detecting, and responding to cyber attacks.

A cyber attack targets an organization’s use of cyberspace to disrupt, disable, destroy, or maliciously control a computing environment or infrastructure; or destroy the integrity of the data or steal controlled information.

Cyberspace is more than just the Internet. It consists of interdependent network infrastructures including the Internet, telecommunications networks, computer systems and embedded processors and controllers.

A cyber event is a cybersecurity change that may have an impact on the organization's operations, whereas a cyber incident is a cyber event that has actually had an impact on the organization and therefore requires response and recovery.

For example: a security breach following a hack, or an employee's loss of an unencrypted USB key holding confidential data, is a cyber incident. In both instances the organization must respond to and recover from the event: the intrusion in the first case, the exposure of the data in the second. Note the word "unencrypted": the loss is an incident because the data on the key is exposed. The loss of a properly encrypted key would still be a cyber event to record and assess, and becomes an incident only if that assessment finds an impact on the organization.

2. What’s in a cybersecurity plan?

The second step is trickier. Some organizations may not fully understand what a cybersecurity plan entails.

For instance, some may believe that all they need are procedures to respond to and recover from a hack or other security breach.

Protection beats reaction

Although security breach procedures are a key component of a cybersecurity plan, they are primarily reactive: they are triggered only after the horse has left the barn.

What organizations need is to manage all the routine organizational activities that can increase or decrease the likelihood of a security breach; in other words, a proactive plan, or cybersecurity framework.

A cybersecurity framework is a complete set of resources including policies, procedures, technology, personnel and other resources used to assess and mitigate cyber risks, in compliance with the law and best practices.

You’ve probably already started

Your organization may already have several policies that affect cybersecurity; for example, policies on asset inventory, Internet use and passwords. You may also have a privacy officer, risk manager or IT manager.

The cybersecurity framework pulls all the various policies and resources together into a comprehensive structure to address cybersecurity.

This is why it can be easier than you think to create a cybersecurity plan: you may already have many of the components in place.

3. Creating your cybersecurity plan is an ongoing process

Building a solid cybersecurity plan may involve a lot of work, but you can divide it into smaller, more manageable tasks by following these steps:

Board or board committee: Put cybersecurity on your board’s radar. The board should have oversight of cybersecurity.

Cybersecurity risk assessment: The board should request a high-level cybersecurity risk assessment. This involves identifying the organization’s assets, systems, other resources and policies and identifying the cybersecurity risks associated with these resources.

Reporting, review and next steps: Report on the findings of the risk assessment, review the results and plan next steps. The board should ensure that the organization addresses recommendations arising from the risk assessment.

Form a cybersecurity committee: The board should ensure that there is a cybersecurity committee at the management level, to implement or improve the cybersecurity framework and liaise with the board or the board committee responsible for cybersecurity.

Create a cybersecurity framework: The cybersecurity committee must ensure that the organization creates and organizes resources and written policies and procedures into a cybersecurity framework.

Each policy is tailored to the audience of the manual in which it appears and is based on industry standards developed by the National Institute of Standards and Technology (NIST), particularly its Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework), which is currently under revision. NIST has mapped the core functions of its framework to COBIT 5 (Control Objectives for Information and Related Technologies), published by ISACA (formerly the Information Systems Audit and Control Association).

These comprehensive policies will help you create and maintain a cybersecurity plan.


Apolone Gentles is a CPA, CGA and Ontario lawyer and editor with over 20 years of business experience. She has held senior leadership roles in non-profit organizations, leading finance, human resources, information technology and facilities teams. She has also held senior roles in audit and assurance services at a "Big Four" audit firm. Apolone has also lectured in Auditing, Economics and Business at post-secondary schools.